SERVFAIL
DNS response code 2: the resolver could not complete the query due to a server-side failure, often a broken DNSSEC chain or unreachable upstream.
SERVFAIL (RCODE 2) is the DNS equivalent of HTTP 500: the resolver tried to answer but something went wrong. The two most common causes are a broken DNSSEC chain (signatures expired, missing DS record after a key rollover) and an unreachable authoritative nameserver. Because resolvers cache SERVFAIL responses (briefly, but they do), a transient outage can linger for users after it appears fixed. SERVFAIL is distinct from NXDOMAIN: NXDOMAIN is a confident "this does not exist," SERVFAIL is "I cannot tell you."
Reference
Related terms
See also
Referenced on
- Build a DNS Resolver from Scratch in PHP
- Build a DNS Resolver from Scratch in Python
- Complete Guide to DNS Attacks and DNS Security (Prevention, Testing & Mitigation)
- DNS Lookups in Python: Complete Guide with dnspython
- DNS Queries in Node.js: dns.lookup vs dns.resolve Explained
- DNS Root Servers Explained: The 13 Servers That Run the Internet
- DNS Troubleshooting Tools: What the Pros Actually Use
- DNSSEC Downgrade Attack: How Attackers Strip Cryptographic Protection from DNS
- How DNS Queries Work: A Developer's Guide to the DNS Protocol
- How Expired Name Servers Become Domain Hijacking Vectors
- Phantom Domain Attack: How Unresponsive Domains Exhaust DNS Resolvers
- The Complete dig Command Guide: Every Flag and Option Explained
- Troubleshooting Common DNS Issues: A Step-by-Step Guide
- What Is DNS Cache Poisoning? How It Works and How to Prevent It
- What Is DNSSEC and Why Should You Enable It?
- What Is NXDOMAIN? Understanding the 'Domain Does Not Exist' DNS Response
- What Is SERVFAIL? Understanding DNS Server Failure Responses
- Why DNSSEC Is Still Failing: Lessons from 240 Million Domains